The present invention relates generally to a method for detecting and preventing unauthorized or illegal access attempts within a computer system. More specifically, the present invention relates to a method for detecting and preventing attempts to exploit the buffer overflow-related weakness within a computer system.
Modern computers are designed according to the requirements of high-level programming languages. A fundamental technique for the structured design of computer programs, associated with the high-level languages, is the procedure or the function.
Procedures or functions are computer programs. A procedure call or a function call is a high-level programming concept that modifies the flow of the calling program's execution. In contrast with the more traditional "jump" or "goto" instructions, which also alter the flow of execution, a procedure or a function, after the execution of its own code, returns control to the instruction immediately following the call. To implement procedure or function calls in the manner described, a memory device called a stack is utilized.
A stack is a contiguous section of memory containing data, the size of which is dynamically adjusted by the operating system routines at run time. The data is inserted into and removed from the stack by the Central Processing Unit (CPU) utilizing Assembler language instructions such as "push" or "pop."
The stack contains related information units such as logical stack frames or Procedure Activation Records that are inserted therein when a function is called and removed when the function returns control to the calling program.
The stack frame itself contains parameters to the called function, local variables, pointers to recover the previous stack frame, saved values of the CPU registers, and the return address of the calling computer program. The return address is the instruction pointer of the calling program at the time of the function call.
Induced buffer overflow, or the buffer overflow attack, is known in the art. Buffer overflow attacks take advantage of the lack of bounds checking on the size of input being stored in a buffer array. Arrays are predefined allocated memory devices within a computer system. An attacker can make erratic changes to data stored adjacent to an allocated array by intentionally writing data past the end of the array. The most typical data structure to be corrupted in this fashion is the stack. Therefore this type of attack is also known as stack smashing.
The prevalent form of buffer overflow exploitation is to attack buffers allocated on the stack. One objective of such an attack is inserting an attack code in the form of an executable object code native to the attacked machine. Another objective is to change the return address to point to the attack code now residing on the stack. Such attack code may be utilized to gain enhanced privileges over the computer system.
The programs that are attacked using this technique are usually high privilege utilities or daemons that run under the user-id root to perform essential services. The effect of a successful buffer overflow attack is to provide the attacker non-authorized root privileges. Gaining root privileges within a computer system allows non-authorized users access to privileged resources.
As the maximum length of the overflowing data string can be only the current depth of the stack, the inserted attack code must be short in terms of code length. Writing data outside the stack limit will result in an exception condition that will prevent the attack code from executing. Therefore, the buffer overflow attacker will be forced to write short code and will have to use high-level System calls or Library calls. Such calls will later be utilized to gain non-authorized enhanced privileges to access privileged resources.
Several strategies that attempt to resolve the buffer overflow weakness are known in the art. One such strategy is to design a compiler that prohibits a computer program from writing past a stack segment array. Another strategy is to detect buffer overflow vulnerable programs off line and alert the user to the possibility that the system privileges may be compromised.
Another known strategy is using a repair program. The repair program can repair or fix those vulnerable programs that can be used to exploit the buffer overflow weakness.
None of the above provide a method and apparatus for prevention of buffer overflow through controlled execution of system or other calls within a computer system.
One aspect of the present invention regards a computer system running an operating computer platform that includes a kernel space and a process space. The process space includes a user application operative to intercept system calls running in said process space and a method of secure function execution. The method of secure function execution comprises the steps of examining the validity of the intercepted system call by comparing the originating address of the intercepted system call with the range of valid process addresses associated with the process from which the intercepted system call originated.
A second aspect of the present invention regards a computer system running an operating system platform, the operating system including a kernel space and a process space. The process space includes a user application running in process space, the user application being operative to intercept library calls. A method of secure function execution examines the validity of the intercepted library call by comparing the originating address of the intercepted library call with the range of valid process addresses associated with the process from which the intercepted library call originated.
A third aspect of the present invention regards a computer system running an operating system platform. The operating system includes a kernel space and a process space. The process space includes a user application running in process space. The user application is operative to intercept system and function calls, and a method of secure function execution is applied to the intercepted system or function calls. The method comprises the steps of receiving a caller routine return address from the process memory device and determining whether the caller routine address is valid by comparing the caller routine address with a process valid address table.
A fourth aspect of the present invention regards a computer system running an operating system platform. The operating system includes a kernel space and a process space. The process space includes a user application running in process space. The user application is operative to intercept system and function calls, and a method of secure function execution is applied to the intercepted system or function calls. The method comprises the steps of receiving a caller routine return address from said process memory device and determining whether the caller routine address is valid by comparing the caller routine address with an associated process stack address area.
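The checks described in the third and fourth aspects, written out as an added example in C (not code from the patent itself): the interceptor receives the caller's return address, refuses it if it falls inside the process stack area, and otherwise accepts it only if it lies in one of the process's valid code ranges. The process map and the two sample caller addresses are constructed for the illustration; a real interceptor would obtain the caller address with `__builtin_return_address(0)` and the ranges from the loaded program image.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One contiguous address range [lo, hi). */
typedef struct { uintptr_t lo, hi; } addr_range;

/* Valid-address table for one process (hypothetical layout, constructed). */
typedef struct {
    addr_range code[4];   /* text of the program and its shared libraries */
    size_t     ncode;
    addr_range stack;     /* the process stack address area */
} proc_map;

static bool in_range(uintptr_t a, addr_range r) { return a >= r.lo && a < r.hi; }

/* A caller address is valid only if it is not in the stack area (fourth
   aspect) and lies in a code range of the valid address table (third aspect). */
bool caller_is_valid(const proc_map *m, uintptr_t caller)
{
    if (in_range(caller, m->stack))
        return false;                 /* return address points into the stack */
    for (size_t i = 0; i < m->ncode; i++)
        if (in_range(caller, m->code[i]))
            return true;
    return false;                     /* not inside any mapped code segment */
}

/* Interceptor for a privileged call: 0 if the call may proceed,
   -1 if it is refused because the caller address fails the check. */
int intercepted_call(const proc_map *m, uintptr_t caller, const char *name)
{
    if (!caller_is_valid(m, caller)) {
        fprintf(stderr, "refused %s: caller %#lx outside valid ranges\n",
                name, (unsigned long)caller);
        return -1;
    }
    return 0;
}

/* Constructed process map: program text, one shared library, the stack. */
static const proc_map demo = {
    .code  = { {0x00400000, 0x00410000}, {0x7f000000, 0x7f100000} },
    .ncode = 2,
    .stack = {0x7ffd0000, 0x7fff0000},
};

int main(void)
{
    uintptr_t from_text  = 0x00402abc;  /* legitimate call site in program text */
    uintptr_t from_stack = 0x7ffe1234;  /* return address rewritten to point at the stack */
    printf("%d %d\n", intercepted_call(&demo, from_text, "open"),
                      intercepted_call(&demo, from_stack, "open"));
    return 0;
}
```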
Each of the above aspects of the present invention may provide the advantage of identifying unauthorized or illegal access attempts to software objects within a computer system.
Each of the above aspects of the present invention may provide the advantage of preventing unauthorized or illegal attempts to open, process or delete software objects within a computing environment.
Each of the above aspects of the present invention may provide the advantage of preventing attempts by potential intruders to exploit the buffer overflow-related weakness within a computing environment.